Severity
High
Analysis Summary
CVE-2020-12411
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
CVE-2020-12408
Mozilla Firefox could allow a remote attacker to conduct spoofing attacks, caused by an error when browsing a document hosted on an IP address. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL.
CVE-2020-12407
Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the leaking of arbitrary GPU memory to the visible screen when using border-image CSS directive. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVE-2020-12406
Mozilla Firefox is vulnerable to a denial of service, caused by a JavaScript type confusion with NativeTypes. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to possibly execute arbitrary code on the system or cause the browser to crash.
CVE-2020-12405
Mozilla Firefox is vulnerable to a denial of service, caused by a use-after-free in SharedWorkerService. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to cause the browser to crash.
CVE-2020-12399
Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by a timing attack when performing DSA signatures. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to leak private keys and obtain sensitive information.
CVE-2020-12409
Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by memory safety bugs within the browser engine. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service.
Impact
- Denial of service
- URL spoofing
- Information disclosure
Affected Vendors
Mozilla
Affected Products
- Mozilla Firefox 76
- Mozilla Firefox ESR 68.8
Remediation
Upgrade to the latest versions:
- Firefox ESR 68.9
- Firefox 77
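
One way to check an inventory against the fixed versions listed above, as an added example that is not part of the original advisory. It assumes version strings in the form printed by `firefox --version`, with ESR builds carrying an `esr` suffix; the hostnames and sample inventory are constructed.

```python
import re

# Fixed versions taken from the advisory's Remediation section.
FIXED_RELEASE = (77, 0)
FIXED_ESR = (68, 9)

# Assumed input format: the line printed by `firefox --version`,
# e.g. "Mozilla Firefox 76.0.1" or "Mozilla Firefox 68.8.0esr".
_VERSION_RE = re.compile(r"Firefox\s+(\d+)\.(\d+)(?:\.\d+)*(esr)?", re.IGNORECASE)


def classify(version_line):
    """Return 'patched', 'vulnerable', or 'unknown' for one version line."""
    m = _VERSION_RE.search(version_line)
    if not m:
        return "unknown"  # never assume a host is safe on unparseable data
    version = (int(m.group(1)), int(m.group(2)))
    # ESR and release channels have different fixed versions.
    fixed = FIXED_ESR if m.group(3) else FIXED_RELEASE
    # Tuple comparison is numeric, so 68.10 correctly sorts after 68.9.
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """Map hostname -> status, given hostname -> version line."""
    return {host: classify(line) for host, line in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "ws-01": "Mozilla Firefox 76.0.1",
    "ws-02": "Mozilla Firefox 77.0",
    "ws-03": "Mozilla Firefox 68.8.0esr",
    "ws-04": "Mozilla Firefox 68.9.0esr",
    "ws-05": "firefox: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}\t{status}")
```

Hosts reported as `unknown` need manual follow-up rather than being counted as remediated.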